What is the best way to save credentials in lambda?

Question

I need to access some credentials on lambda functions and one way to do that is to put them in environment variables.

However, the values of these credentials are visible in the lambda console. I am thinking to put them in secret manager or parameter store and put the key as env in lambda. Then load the value in lambda at runtime.

However, this approach is secure but give some latency. I am not sure how much latency it gives. Is there a better solution for that?

Answer 1

The Lambda variables are actually encrypted already, the decrypted values are shown from the console but if the user does not have permission for the key they will not be able to see them.

As you suggested you have the solutions of:

• Secrets Manager
• Systems Manager Parameter Store (use a SecureString).

The benefits that you will get by using either of these solutions is that you can change them outside of the version you're using as well as across a number of Lambda functions simultaneously.

You will also have an increased latency from trying to reach these service endpoints which would lead to a slight increase in time. You could reduce this latency by having your Lambda within a VPC and use VPC endpoints to the service (which will allow direct private communication over using the public internet) but it will still be longer than environment variables.

Ultimately this choice is for you, if you do need to reuse the variables and can put up with the slight latency then use secrets manager or systems manager parameter store. Otherwise manage the KMS permissions so that not every user can access the get to decrypt.